Another Vester Test file generator and more vCenter checks

07/10/2019

Some time after finishing the “Vester Test file generator”, I was wondering how to get more configuration settings out of a vCenter Server. Then I realized that vCenter Servers also contain a large number of Advanced Settings.

To get an overview of ALL Advanced Settings in vSphere, connect to a vCenter Server and run the following line:

PS> Get-AdvancedSetting -Entity *

In the output you will discover three large groups:
VIServer, vCenter Server settings
VMHost, ESXi host settings (see the earlier Vester Test file generator post)
VM, Virtual machine settings

And finally, two small groups “Compute Cluster DRS” (9 settings) and “Datastore Cluster” (3 settings).

The script New-VesterVcenterAdvanced.ps1 creates more than 200 new Vester checks, based on the VIServer group, which can read and write vCenter Server Advanced Settings. The script has one mandatory parameter, the FQDN or IP address of a vCenter Server, and connects to that server itself, so there is no need to connect to a vCenter Server beforehand.
The generated Vester checks will be written in the current folder.

To distinguish the generated Vester checks from other files, all file names start with “VCAS-” (vCenter Advanced Setting) and contain the name of the Advanced Setting, e.g. “VCAS-ConfigLogLevel.Vester.ps1”, for “config.log.level”. After generating the files, you can decide which checks you want to add to the folder containing the vCenter checks.

But there is more! There are still a number of important settings which we can check on an ESXi host but not on a vCenter Server Appliance (VCSA); to name a few: DNS, NTP, access settings and local users.

With the introduction of vSphere 6.5, new vSphere REST APIs were introduced; the VCSA API is one of these (more info here).
William Lam wrote a nice series of posts on how to make good use of this new functionality. I can also recommend checking out his PowerShell VAMI module.

I have created a series of new checks which can read and (in most cases) write VAMI settings.
The only prerequisite is setting up a connection to the vSphere Automation SDK server with the Connect-CisServer cmdlet, like:

PS> Connect-CisServer -Server vc06.virtual.local -Credential $creds

It probably goes without saying that for the older checks you still need a connection to the vCenter Server, established with the Connect-VIServer cmdlet.

The new checks can be found here. The names of the checks based on the VCSA API all start with “VAMI-”, for example “VAMI-ApplianceNetworkingDNSServers.Vester.ps1”.

The next section shows a portion of a Vester configuration file with the new VAMI checks.



"vCenter": {
           "accessConsolecli": true,
           "accessDcui": true,
           "accessShellBashEnabled": false,
           "accessSsh": true,
           "NetworkingDnsMode": "is_static",
           "NetworkingDnsServers": [
               "192.168.0.31",
               "192.168.0.32"
              ],
           "SystemBuild": "9451637",
           "SystemTimeTimezone": "UTC",
           "SystemVersion": "6.5.0.22000",
           "TechpreviewLocalAccountsUser": [
               "root",
               "dnsmasq"
              ],
           "TechpreviewMonitoringSnmpEnabled": false,
           "TechpreviewMonitoringSnmpPort": 161,
           "TechpreviewNTPServers": [
               "1.pool.ntp.org",
               "0.pool.ntp.org"
              ],
           "TechpreviewTimesyncMode": "NTP",
           "vc": "vc06.virtual.local"
},
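To show how the config fragment above drives such a check, here is a VAMI-style Vester test file for the appliance DNS servers. It is an added example for this page, not a copy of the VAMI-ApplianceNetworkingDNSServers file from the download. It assumes the usual Vester layout (the parsed config is available as $cfg, so the "vCenter" section above is reached as $cfg.vcenter), an open Connect-CisServer session to the same appliance, and the get()/set(config) methods of the com.vmware.appliance.networking.dns.servers service; the early check on $global:DefaultCisServers is part of the example and not something the post describes.

```powershell
# Test file for the Vester module - https://github.com/WahlNetwork/Vester
# Added example: a VAMI-style check for the DNS servers of the appliance.
# Runs in Vester's vCenter scope, but the values come from the VCSA API,
# so an open Connect-CisServer session is required in addition to Connect-VIServer.

$Title = 'VCSA DNS servers'
$Description = 'DNS servers configured on the vCenter Server Appliance (VAMI)'

# The config entry stating the desired values: "vCenter" -> "NetworkingDnsServers"
$Desired = $cfg.vcenter.NetworkingDnsServers

# The test value's data type, to help with conversion (a list of strings here)
$Type = 'string[]'

# The command(s) to pull the actual value for comparison
[ScriptBlock]$Actual = {
    # Fail with a clear message instead of comparing $Desired against $null
    # when Connect-CisServer was not run ($global:DefaultCisServers is PowerCLI's session list)
    if (-not $global:DefaultCisServers) {
        throw 'No CIS session. Run Connect-CisServer against the vCenter Server Appliance first.'
    }
    $dnsService = Get-CisService -Name 'com.vmware.appliance.networking.dns.servers'
    # get() returns a structure with .mode ('is_static' or 'dhcp') and .servers
    [string[]]($dnsService.get().servers)
}

# The command(s) to match the environment to the config
[ScriptBlock]$Fix = {
    $dnsService = Get-CisService -Name 'com.vmware.appliance.networking.dns.servers'
    # Build the 'config' parameter of set() from the service's own metadata.
    # Servers are only honoured in static mode, which is also what the config
    # fragment states under "NetworkingDnsMode".
    $config = $dnsService.Help.set.config.Create()
    $config.mode    = 'is_static'
    $config.servers = [string[]]$Desired
    $dnsService.set($config)
}
```

Because Vester runs $Actual before $Fix, the session check in $Actual also protects a remediation run: without a CIS session the check fails instead of overwriting the DNS configuration with an empty list.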

As always, I thank you for reading and welcome your comments.

This is the sixth part of a series about configuration drift, Vester and DSC.
Overview of all posts in this series:

About Configuration Drift, Pester and Vester

Tips for writing Vester test files, part 1

Tips for writing Vester test files, part 2

Creating Dashboards for Vester

Vester Test file generator

Securing DSC resources for VMware


About VMSA, CVE, CVSS and more

19/09/2019

A while back I was alerted to something remarkable regarding the VMware security bulletins. But let me first provide some background on these bulletins.

VMware regularly publishes VMware Security Advisories, also known as VMSAs.

Fig. 1 – Example VMSA

As VMware states; “VMware Security Advisories document remediation for security vulnerabilities that are reported in VMware products”. The bulletins are created by the VMware Security Response Center (VSRC). The VSRC works closely with customers and security researchers on the analysis and remediation of security issues within VMware products. After validating a report, the VSRC works with VMware R&D on providing solutions. Upon the remediation of an issue a VMSA will be released.
If you do not yet receive notifications when new VMSAs are released, you can sign up for the Security Advisories and find more information on this page (or here).

The latest security advisories can be found on this page. A comprehensive overview over the past years can be found here.

Read the rest of this entry »


Securing DSC resources for VMware

28/08/2019

Recently DSC Resources for VMware 2.0 was released. This new version comes with a lot of new resources and other features, like availability in the PowerShell Gallery. If DSC Resources for VMware is completely new to you,
I recommend reading the “Getting started” blog post, but do not follow its installation instructions. Instead, install directly from the PowerShell Gallery with something like this (check that the wildcard only matched VMware.vSphereDSC before installing):

PS> Find-Module *VMware.vSphereDSC* | Install-Module

So after exploring “Vester”, the other DSC solution, it is now time to have a look at the DSC Resources for VMware 2.0.

Disclaimer: Windows PowerShell Desired State Configuration (from now on “DSC”) is often used for configuration management of Windows systems and as such is new to me. This post focuses on the use of DSC in a vSphere environment.

My setup: I used an old Windows Server 2012 R2 machine as the LCM (the node running the Local Configuration Manager). The vSphere environment is a VCSA version 6.5 and two ESXi hosts.
This post contains links to some scripts. All files mentioned in this post can be downloaded from this location. On the LCM, create a new folder named C:\VMwareDSC and place all the files in this folder.

One of my first goals was to understand how to create a good configuration. Luckily, the VMware DSC module contains an examples folder, and I selected the VMHost_Config.ps1 configuration, a sample script for configuring an ESXi host.

Read the rest of this entry »


Vester Test file generator

07/07/2019

In previous posts (see below), I presented some tips for creating new Vester test files. As you may know, ESXi hosts have a large number of so-called “Advanced System Settings”. Some of these settings are already covered by Vester test files. Advanced System Settings can be read and changed with the Get-AdvancedSetting and Set-AdvancedSetting cmdlets. With this knowledge and some PowerShell code, it is not too difficult to create a complete set (more than 1,100) of Vester test files.

The New-VesterHostAdvanced.ps1 script can be found here.

A brief description of how it works. After connecting to a vCenter Server, one of the available ESXi hosts needs to be selected. The selected host is used to create an overview of all available Advanced System Settings.

Key to creating the scripts is the concept of Here documents, known in PowerShell as Here-Strings (see the PowerShell documentation for a brief overview). The important detail is the choice between single and double quotes: a Here-String with double quotes expands variables, a Here-String with single quotes leaves the text as-is. Run the following code to see the difference.

$var = 'MyValue'
$formatText1 = @"
Here-String with double quotes
The variable $var
Variable replacement

"@
$formatText1

$formatText2 = @'
Here-String with single quotes
The variable $var
Test as-is
'@
$formatText2
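As an added example that ties the two generator posts together (New-VesterVcenterAdvanced.ps1 above and New-VesterHostAdvanced.ps1 here), the function below turns one object from Get-AdvancedSetting into a Vester test file using a double-quoted Here-String. It is written for this page and is not the code of either script: the function name, the -Scope parameter, the 'HAS-' prefix for host files and the output folder handling are assumptions ('VCAS-' is the prefix the vCenter post uses), while the file layout follows Vester's own template ($Title, $Description, $Desired, $Type, $Actual, $Fix). The point it shows is the catch with double-quoted Here-Strings: $cfg, $Object, $Desired and $false belong to Vester and must be escaped with a backtick, otherwise they are expanded (to nothing) while generating.

```powershell
function New-VesterAdvancedSettingTest {
    [CmdletBinding(SupportsShouldProcess)]
    param (
        # One object as returned by Get-AdvancedSetting (uses .Name, .Value and .Entity)
        [Parameter(Mandatory, ValueFromPipeline)]
        $Setting,

        # Vester scope of the generated file; decides the $cfg section, what $Object
        # is at run time and the file-name prefix ('VCAS-' as in the post, 'HAS-' is assumed)
        [ValidateSet('vCenter', 'Host')]
        [string]$Scope = 'vCenter',

        # Folder to write into, the current folder by default (as the post's script does)
        [string]$OutputPath = (Get-Location).Path
    )

    process {
        # 'config.log.level' -> 'ConfigLogLevel': usable as JSON key and file-name fragment
        $key = (($Setting.Name -split '\.') | Where-Object { $_ } | ForEach-Object {
            $_.Substring(0, 1).ToUpper() + $_.Substring(1)
        }) -join ''
        $key = $key -replace '[^A-Za-z0-9]', ''

        $prefix     = if ($Scope -eq 'vCenter') { 'VCAS' }    else { 'HAS' }
        $cfgSection = if ($Scope -eq 'vCenter') { 'vcenter' } else { 'host' }

        # Map the live value's .NET type onto the type names Vester converts with
        $type = if ($Setting.Value -is [bool]) { 'bool' }
                elseif ($Setting.Value -is [int] -or $Setting.Value -is [long]) { 'int' }
                else { 'string' }

        # Double-quoted Here-String: $Scope, $type, $cfgSection, $key and $($Setting.Name)
        # are filled in now. Everything Vester must evaluate later ($Title, $cfg, $Object,
        # $Desired, $false) is escaped with a backtick; unescaped, it would expand to
        # nothing at generation time and leave a broken test file.
        $body = @"
# Test file for the Vester module - https://github.com/WahlNetwork/Vester
# Generated from Advanced Setting '$($Setting.Name)' on $($Setting.Entity)

`$Title = 'Advanced Setting $($Setting.Name)'
`$Description = 'Desired value of the $Scope Advanced Setting $($Setting.Name)'

# The config entry stating the desired value
`$Desired = `$cfg.$($cfgSection).$($key)

# The test value's data type, to help with conversion
`$Type = '$type'

# The command(s) to pull the actual value for comparison
[ScriptBlock]`$Actual = {
    (Get-AdvancedSetting -Entity `$Object -Name '$($Setting.Name)').Value
}

# The command(s) to match the environment to the config
[ScriptBlock]`$Fix = {
    Get-AdvancedSetting -Entity `$Object -Name '$($Setting.Name)' |
        Set-AdvancedSetting -Value `$Desired -Confirm:`$false -ErrorAction Stop
}
"@

        $file = Join-Path -Path $OutputPath -ChildPath "$($prefix)-$($key).Vester.ps1"
        if ($PSCmdlet.ShouldProcess($file, 'Write Vester test file')) {
            Set-Content -Path $file -Value $body -Encoding UTF8
            Get-Item -Path $file
        }
    }
}

# Usage, after Connect-VIServer: one file per vCenter Server Advanced Setting.
# Get-AdvancedSetting -Entity $global:DefaultVIServer |
#     New-VesterAdvancedSettingTest -Scope vCenter -OutputPath .\Generated -WhatIf
```

Run it with -WhatIf first to see which files it would write. The generated $Fix uses -Confirm:$false, so such a check is ready for Invoke-Vester -Remediate; review a generated file before moving it into the folder with the other checks, exactly as the post suggests.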

Read the rest of this entry »


PsConf.eu 2019

10/06/2019

Some time ago, I was invited to visit the PowerShell Conference Europe, in short PSCONF.EU 2019. This conference took place from 4 to 7 June 2019 in the Hannover Congress Center in Germany. To get started, a few numbers on Europe’s largest PowerShell event, held annually since 2016: 350 delegates, 40 speakers and 1 dog from almost all European countries and the United States of America, presenting and attending over 75 sessions during these four days.

Fig.1 – Opening Ceremony

Read the rest of this entry »


VMware Learning Zone

05/05/2019

Introduction

On January 17th, I completed my VMware recertification. Just a few days later, VMware announced its new recertification policy, dropping the mandatory two-year recertification requirement. On March 1st, I received the following message from VMware: “As it’s been communicated with our recent changes to the VMware recertification policies, we have identified you as completing your Certification requirements by completing the Expired Recertification Path within the last six months. As a token of appreciation for the extra time and effort it involved, we are providing you a free one-year premium license to the VMware Learning Zone.”

For some reason that also reminded me of the past: after successfully passing a VMware VCP exam, you received an envelope with the certificate and a one-year license for VMware Workstation by mail.

Fig. 2

So time to redeem my free one-year premium license and share my first experiences.

Read the rest of this entry »


Creating Dashboards for Vester

03/04/2019

Introduction

In my first post about Vester, I ended with a number of items that needed further investigation. On top of my list is some kind of reporting function. After submitting an Invoke-Vester command, lots of information scrolls over the screen.

Figure 1. – Output Invoke-Vester

Most administrators will not accept remediation of the errors found without seeing them first and want some kind of overview. An overview would also be welcome when running Invoke-Vester as a scheduled job. Fortunately, one of my colleagues (thank you Alex!) gave me the idea to create a dashboard. Besides the many monitoring and dashboard products available, like Grafana and Graphite, there is also the PowerShell Universal Dashboard module. PowerShell Universal Dashboard comes in a licensed Enterprise Edition and a free Community Edition; documentation can be found here.

Installation is done by installing the module:


Install-Module UniversalDashboard.Community -AcceptLicense

To test UD, run the following code


$MyDashboard = New-UDDashboard -Title "Hello, World" -Content {
    New-UDCard -Title "Hello, my first universal dashboard!"
}

Start-UDDashboard -Port 10000 -Dashboard $MyDashboard -Name 'HelloDashboard'

Start a browser and open the URL http://localhost:10000, which should show the following:

Figure 2.

For a nice introduction in Universal Dashboard, please read this post by Nicolas Prigent.

Read the rest of this entry »